Authentication of remote host via closed ports

ABSTRACT

A method, system and apparatus for authenticating a communication request sent from a client computing device. The communication request is initially blocked by a firewall preventing delivery to a server. A first logging event corresponding to the communication request is created. The communication request and the logging event are stored in a firewall. The server is notified of the first logging event. The communication request corresponding to the first logging event is authenticated. A port in the firewall is enabled if the communication request is authenticated.

BACKGROUND OF THE INVENTION

1. Statement of the Technical Field

The present invention relates to network communication security and moreparticularly to a method and system for allowing a server toauthenticate a client without initially permitting direct communicationbetween these devices.

2. Description of the Related Art

With the proliferation of public access communication networks such asthe Internet, security and integrity of data is a concern that permeatessociety. Related to this concern is the availability of server resourcesand the need to provide availability and access to potentially sensitivedata in the face of malicious unauthorized access attempts, i.e.,hackers, as well as attempts to destroy data and computing resources,i.e., viruses and worms. These computer hackers and viruses and wormsare constantly probing and analyzing networks, servers and othercomputing resources for vulnerabilities that can be exploited.

Many schemes for protecting data and unauthorized access to computingresources exist, ranging from general password protection to moresophisticated firewall arrangements. As typically occurs in Internetcommunications, when a client computer seeks to access a web server, therequest in the form of an Internet Protocol (“IP”) packet is routedthrough a series of networks. IP layers, such as the TransmissionControl Protocol (“TCP”) layer uses a logical port number assigned toeach message so that the recipient device can determine the type ofservice being is requested/provided. These logical ports are thereforereference numbers used to define a service. Logical port numbers arestraight unsigned integer values which range up to a value of 65535.Some logical ports are assigned, some reserved and many unassigned whichmay be utilized by application programs. For instance, the hypertexttransfer protocol (“HTTP”) uses port 80 to provide web browsingservices.

In order to allow services like internet web browsing to be used, thesupporting ports, like port 80, are typically left unblocked byfirewalls so that the corresponding data, for example a request forinformation, can be received by the web server. Once the data has passedthrough the firewall, the web server typically blindly accepts the data,processes it and sends the result back to the originating clientcomputer. Such can even be the case where a web server receives arequest and replies by requesting a password and/or ID.

These arrangements make the servers vulnerable to the above-describedattacks. These arrangements also disadvantageously require a significantamount of administration by requiring administrators to constantlyupdate firewall rule sets after the attacks have been made. It istherefore desirable to have a system and method which allows clientcomputers to communicate with servers via a firewall in which thefirewall does not need to have certain ports allowed by default, i.e.the firewall blocks all incoming traffic regardless of port number.

SUMMARY OF THE INVENTION

The present invention addresses the deficiencies of the art in respectto authentication and provides a novel and non-obvious method, systemand apparatus for authenticating a client computer to a server. In thisregard, a multilayered authentication technique is used to preventvirus/worms and hackers from scanning ports. The multilayered techniqueadvantageously prevents initial direct communication, e.g. communicationsessions, between the client computer and the server by logging thecommunication request in a firewall and notifying the server that aclient communication request is pending.

According to one aspect, the present invention provides a system forauthenticating a communication request sent from a client computingdevice in which a firewall is in data communication with a server. Thefirewall has a processing unit and a storage unit. The processing unitoperates to perform functions including initially blocking thecommunication request and creating a first logging event correspondingto the communication request. The storage unit stores the communicationrequest and the logging event. The server is in data communication withthe firewall. The server has a processing unit operating to performfunctions including receiving notification of the first logging eventcreated by the firewall, authenticating the communication requestcorresponding to the first logging event and enabling a port in thefirewall if the communication request is authenticated.

According to another aspect, the present invention provides a method forauthenticating a communication request sent from a client computingdevice in which the communication request is initially blocked toprevent delivery to a server. A first logging event corresponding to thecommunication request is created. The communication request and thelogging event are stored in a firewall. The server is notified of thefirst logging event. The communication request corresponding to thefirst logging event is authenticated. A port in the firewall is enabledif the communication request is authenticated.

According to still another aspect, a machine readable storage devicehaving stored thereon a computer program for authenticating acommunication request sent from a client computing device is provided.The computer program includes a set of instructions which when executedby a machine causes the machine to perform a method in which thecommunication request is initially blocked to prevent delivery to aserver. A first logging event corresponding to the communication requestis created. The communication request and the logging event are storedin a firewall. The server is notified of the first logging event. Thecommunication request corresponding to the first logging event isauthenticated. A port in the firewall is enabled if the communicationrequest is authenticated.

Additional aspects of the invention will be set forth in part in thedescription which follows, and in part will be obvious from thedescription, or may be learned by practice of the invention. The aspectsof the invention will be realized and attained by means of the elementsand combinations particularly pointed out in the appended claims. It isto be understood that both the foregoing general description and thefollowing detailed description are exemplary and explanatory only andare not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute partof this specification, illustrate embodiments of the invention andtogether with the description, serve to explain the principles of theinvention. The embodiments illustrated herein are presently preferred,it being understood, however, that the invention is not limited to theprecise arrangements and instrumentalities shown, wherein:

FIG. 1 is a diagram of an exemplary system constructed in accordancewith the principles of the present invention;

FIG. 2 is a flow chart of the overall process of the present invention;

FIG. 3 is a flow chart of the client content request preparation andtransmission process (Step S200) of FIG. 2; and

FIG. 4 is a flow chart of the process of authenticating the clientcomputer communication request (Step S204) of FIG. 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention advantageously provides a method, system andapparatus for allowing communication between a server, such as a webserver, and a client computer, such as a computer running web browsersoftware, in a manner which allows the server to authenticate the clientcomputer using a multi-layered authentication and data exchangetechnique. This technique does not require the firewall to respond tothe requests and does not initially allow the client computer todirectly communicate with the server. As used herein, references toauthentication of the client computer is intended to includeauthentication of the actual client computer and/or a user of thecomputer.

Referring now to the drawing figures in which like reference designatorsrefer to like elements there is shown in FIG. 1 a system constructed inaccordance with the principles of the present invention and designatedgenerally as “100”. System 100 includes client computer 102 coupled toserver 104 through network 106 and firewall 108. Network 106 can be anycomputer network capable of transporting data between client computer102 and firewall 108. As used herein, the term “data” includes all formsof digital communication including but not limited to alpha-numericinformation, audio, video, and any other form of encoded or encryptedinformation. Further, although firewall 108 and server 104 are shown asseparate elements in FIG. 1 and are described separately herein, it isunderstood that firewall 108 and server 104 can be implemented as asingle physical unit with the functions of each device performed by oneor more processing units and associated computing hardware in one ormore physical chassis.

Client computer 102 can be any computing device capable of requestinginformation from a server, such as may be provided by web browsingsoftware. For example, client computer 102 can be a desktop or laptopcomputer, a personal digital assistant (“PDA”) and the like. Clientcomputer 102 includes hardware components as known in the art and as maybe required to implement the functions of the present inventiondescribed herein. For example, client computer 102 can include a storageunit such as volatile or non-volatile memory, a central processing unit,input and output devices, network interface hardware, display units andthe like, controlled by an operating system and/or one or moreapplication software programs.

Similarly, server 104 generally includes the same types of hardwarecomponents described above with respect to computer 102. Server 104 isarranged to provide information to client 102 based on requestsinitiated by client 102. For example, server 104 can be a web server.The hardware elements of server 104 are arranged to provide thefunctions described herein with respect to the authentication of arequest for information, i.e., content request originated by client 102.

Firewall 108 generally includes the hardware described above withrespect to client computer 102, including the storage unit andprocessing unit, and includes the programmatic software needed toimplement the functions described herein. Of note, it is presumed thatone or ordinary skill in the art can write programmatic software using aknown computing software language to implement the functions of theinvention described herein as may be performed by client computer 102,server 104 and/or firewall 108. Authentication process 110 is performedby client computer 102, server 104 and/or firewall 108.

The overall process, authentication process 110, of the invention isdescribed with reference to FIG. 2. Initially, client computer 102prepares and sends a request for content to server 104 (Step S200). Theintended destination of the request is addressed to what the clientcomputer 102 believes is the address, such as a TCP/IP address of server104. Firewall 108 operates to initially block the communication requestsent by client computer 102 and logs the request as well as the dataand/or packet(s) embodying the request in its storage unit (Step S202).Server 104 is notified that a log entry has been made in firewall 108for communication and evaluates the request (Step S204) to determinewhether the client should be authenticated (Step S206). If the client isauthenticated, the communication request is honored and server 104instructs firewall 108 to enable one or more ports in the firewall toallow communication between client 102 and server 104 (Step S208).

For example, client 102 may be requesting web content from server 104.If the communication request is authenticated, server 104 may instructfirewall 108 to enable port TCP/IP port 80 to allow client 102 tocommunicate with server 104 using the well known http port as this portis commonly used for TCP/IP web communication.

As noted above, with respect to Step S204, server 104 receivesnotification that firewall 108 has logged a communication request fromclient 102 for content. It is contemplated that this notification can bereceived in any number of ways. For example, server 104 can monitor thelog in firewall 108 to determine when an entry for a communicationrequest has been made. As another example, firewall 108 can proactivelynotify server 104 of the creation of a communication request log entry.In other words, the notification of the communication request log entrycan be pushed to server 104 or can be pulled from firewall 108.Techniques for pushing and pulling data and for monitoring log computerlog entries are known and are not described herein.

A detailed example of the client content request preparation andtransmission process of Step S200 is described with reference to FIG. 3.The first layer of the multi-layer authentication technique of thepresent invention is a matching of a hash of addresses corresponding tothe requesting client computer 102. Accordingly, client computer 102hashes its IP and MAC address (Step S300). The hash can be performedusing a predetermined hashing protocol or a dynamically changingprotocol, such as is done by the SECUREID system. It is alsocontemplated that positional coordinates using global position system(“GPS”) enhanced computers can also be factored into the hashingalgorithm, thereby adding an additional layer of location-specificsecurity to the system.

The communication request transmitted by client 102 and stored in thestorage unit of firewall 108 therefore includes the hashed addresses(and optional GPS positional coordinates) as well as these sameaddresses and coordinates in the clear, i.e., not hashed. Thecommunication request is transmitted to a predefined port(s) or a seriesof ports in a predetermined order (Step S302). As noted above, withrespect to Step S202 in FIG. 2, stateful firewall 108 intercepts therequest destined for server 104.

By blocking all communication requests at firewall 108, the presentinvention blocks all hackers and viruses/worms from reaching server 104.Initially, the only knowledge that server 104 has of the communicationrequest from client 102 is notification of the log entry.

The authentication of the communication request (Step S204) of FIG. 2 isexplained in detail with reference to FIG. 4. Initially, server 104detects that the log in firewall 108 has been updated (Step S400).Methods for notifying server 104 of a firewall log update are describedabove. Server 104 obtains the communication request stored in firewall108 along with the logging data and hashes the clear IP and MAC addressin the communication request (Step S402) using the same hashingalgorithm used by client computer 102. Server 104 compares the addressesit hashed with the hashed addresses (and optional GPS positionalinformation) created by client computer 102 and included in thecommunication request to determine if the two hashes match (Step S404).If the hashes do not match, the authentication fails (Step S 406) andthe communication request is not honored by server 104. Matching hashesare a strong indication that client computer 102 is not “spoofed” i.e.that the communication request was actually initiated by client computer102 and not an imposter.

If the hashes match, the first layer of the multi-layer authenticationprocess is deemed successful and server 104 sends a unicast request toclient computer 102 asking for the server's public encryption key (StepS408). The public key can be per IP port or per service. The public keyis typically distributed to client computer 102 at the time thecorresponding communication software and/or application and/or operatingsystem is installed. Upon receiving the request, client computer 102transmits the public key to server 104.

However, as with the initial communication request, because no portshave been opened to allow direct communication from client computer 102to server 104, the packet(s) containing the public key are blocked byfirewall 108. Firewall 108 logs the receipt of the public key and storesthis log entry as well as the corresponding public key in its storageunit. As with the initial communication request, server 104 is notifiedof the log entry. Server 104 obtains the public key from firewall 108and tests the public key (Step S410). The public key can be tested byserver 104, for example, by encrypting test data with the public key andthen trying to decrypt the same data using its private keys. If thedecryption is successful, the client (communication request) areauthenticated (Step S414). If the decryption is not successful, theauthentication has failed (Step S406).

The present invention can be realized in hardware, software, or acombination of hardware and software. An implementation of the methodand system of the present invention can be realized in a centralizedfashion in one computer system, or in a distributed fashion wheredifferent elements are spread across several interconnected computersystems. Any kind of computer system, or other apparatus adapted forcarrying out the methods described herein, is suited to perform thefunctions described herein.

A typical combination of hardware and software could be a generalpurpose computer system with a computer program that, when being loadedand executed, controls the computer system such that it carries out themethods described herein. The present invention can also be embedded ina computer program product, which comprises all the features enablingthe implementation of the methods described herein, and which, whenloaded in a computer system is able to carry out these methods.

Computer program or application in the present context means anyexpression, in any language, code or notation, of a set of instructionsintended to cause a system having an information processing capabilityto perform a particular function either directly or after either or bothof the following a) conversion to another language, code or notation; b)reproduction in a different material form. Significantly, this inventioncan be embodied in other specific forms without departing from thespirit or essential attributes thereof, and accordingly, referenceshould be had to the following claims, rather than to the foregoingspecification, as indicating the scope of the invention.

We claim:
 1. A system for authenticating a communication request sentfrom a client computing device, the system comprising: a firewall thatinitially blocks all incoming traffic regardless of port number, thefirewall comprising: a processing unit operating to perform functionsincluding: initially blocking the communication request; creating afirst logging event corresponding to the communication request; and astorage unit, the storage unit storing the communication request and thefirst logging event; and a server in data communication with thefirewall, the server having a processing unit, the processing unitoperating to perform functions including: receiving notification of thefirst logging event created by the firewall; authenticating thecommunication request corresponding to the first logging event using amulti-layer authentication process including a first layerauthentication of the communication request that includes generating asecond hash of a plurality of clear addresses corresponding to theclient computing device by the server using the same hashing algorithmand matching the second hash with the first hash and a second layerauthentication of the communication request that includes transmitting arequest to the client computing device for a public key corresponding tothe server if the first and second hashes match; and enabling a port inthe firewall only if the communication request is authenticated by thefirst and second layer authentications.
 2. The system according to claim1, wherein the communication request contains a plurality of clearaddresses corresponding to the client computing device and a first hashof the plurality of clear addresses generated by the client computingdevice using a predetermined hashing algorithm.
 3. The system accordingto claim 1, wherein the second layer authentication further includes thefirewall receiving the public key corresponding to the server from theclient computing device; creating a second logging event correspondingto the public key storing the second logging event and the public key inthe firewall storage unit; notifying the server of the second loggingevent; and the server receiving the notification of the second loggingevent; acquiring the public key from the firewall; and testing thepublic key.
 4. The system according to claim 2, wherein the plurality ofclear addresses corresponding to the client computing device include anInternet Protocol Address and a Media Access Control layer address.
 5. Amethod for authenticating a communication request sent from a clientcomputing device directed to a server, the method comprising: initiallyblocking the communication request from delivery to the server by afirewall that initially blocks all incoming traffic regardless of portnumber; creating a first logging event corresponding to thecommunication request; storing the communication request and the firstlogging event in the firewall; notifying the server of the first loggingevent; authenticating the communication request corresponding to thefirst logging event by the server using a multi-layer authenticationprocess including a first layer authentication of the communicationrequest that includes generating a second hash of a plurality of clearaddresses corresponding to the client computing device by the serverusing the same hashing algorithm and matching the second hash with thefirst hash and a second layer authentication of the communicationrequest that includes transmitting a request to the client computingdevice for a public key corresponding to the server if the first andsecond hashes match; and enabling a port in the firewall only if thecommunication request is authenticated by the first and second layerauthentication.
 6. The method according to claim 5, wherein thecommunication request contains a plurality of clear addressescorresponding to the client computing device and a first hash of theplurality of clear addresses generated by the client computing deviceusing a predetermined hashing algorithm.
 7. The method according toclaim 5, wherein the second layer authentication further includes:receiving the public key from the client computing device, the publickey corresponding to the server; creating a second logging eventcorresponding to the received public key; storing the second loggingevent and the received public key; notifying the server of the secondlogging event; and testing the received public key.
 8. The methodaccording to claim 6, wherein the plurality of clear addressescorresponding to the client computing device include an InternetProtocol Address and a Media Access Control layer address.
 9. The methodaccording to claim 5, wherein the first hash and the second hash furtherinclude positional coordinates corresponding to the client computingdevice.
 10. A machine readable storage device having stored thereon acomputer program for authenticating a communication request sent from aclient computing device directed to a server, the computer programcomprising a set of instructions which when executed by a machine causesthe machine to perform a method including: initially blocking thecommunication request from delivery to the server by a firewall thatblocks all incoming traffic regardless of port number; creating a firstlogging event corresponding to the communication request; storing thecommunication request and the first logging event in the firewall;notifying the server of the first logging event; authenticating thecommunication request corresponding to the first logging event by theserver using a multi-layer authentication process including a firstlayer authentication of the communication request that includesgenerating a second hash of a plurality of clear addresses correspondingto the client computing device by the server using the same hashingalgorithm and matching the second hash with the first hash and a secondlayer authentication of the communication request that includestransmitting a request to the client computing device for a public keycorresponding to the server if the first and second hashes match; andenabling a port in the firewall only if the communication request isauthenticated by the first and second layer authentication.
 11. Themachine readable storage device according to claim 10, wherein thecommunication request contains a plurality of clear addressescorresponding to the client computing device and a first hash of theplurality of clear addresses generated by the client computing deviceusing a predetermined hashing algorithm.
 12. The machine readablestorage device according to claim 10, wherein the second layerauthentication further includes: receiving the public key from theclient computing device, the public key corresponding to the server;creating a second logging event corresponding to the received publickey; storing the second logging event and the received public key;notifying the server of the second logging event; and testing thereceived public key.
 13. The machine readable storage device accordingto claim 11, wherein the plurality of clear addresses corresponding tothe client computing device include an Internet Protocol Address and aMedia Access Control layer address.
 14. The machine readable storagedevice according to claim 10, wherein the first hash and the second hashfurther include positional coordinates corresponding to the clientcomputing device.